Using the core switch's DHCP relay to improve network security

Source: Internet
Author: User

Core switches are still very common, so I looked into how the DHCP relay function of a core switch can be used to improve security. I would like to share the result here and hope it is useful to you. In a LAN, network virus attacks are always unavoidable, and once a workstation is accidentally infected with a network virus it can no longer access the Internet normally.

In addition, if users change IP addresses at will, IP address conflicts easily occur in the LAN, and once such a fault occurs the affected workstation can no longer access the Internet normally. To keep Internet access stable, this article uses the DHCP relay proxy function of the LAN's layer-3 switch to keep normal workstations away from ARP viruses and from frequent IP address conflicts and faults.

Case requirements

A building LAN has about 1000 network nodes, spread evenly over 25 floors. On each floor, all network nodes are connected with Cat 6 twisted-pair cabling at Gigabit speed to H3C S3502 series layer-2 switches, and every layer-2 switch is connected directly over a Gigabit link to the LAN's H3C S8500 series core switch. To simplify management and maintenance of the building network, the network administrators divided these 1000 nodes into several VLANs. Because the core switch used in the building network does not support DHCP address allocation, the network administrator installed a Windows Server 2003 host and deployed a DHCP server on it.

At first the building LAN ran normally. Before long, however, it began to fail frequently because of ARP attacks and IP address conflicts, and every time this happened the network administrator had to run from floor to floor without a break. Frequent ARP virus attacks and IP address conflicts clearly not only made the administrator's life miserable but also undermined the stability of the building network. The organization's leadership therefore asked the network administrator to find a way to effectively control IP addresses on the building network and ensure its stable operation.

Preliminary plan

To meet the network control requirement set by the leadership, several network administrators of the building network went in different directions: they consulted the solutions of several other organizations and searched for a great deal of information online, but none of these solutions or materials really suited the organization's building network. After careful analysis and discussion, the administrators decided to use the static ARP table function of the enterprise network's core switch, at no additional cost, to bind every IP address in the LAN to the physical (MAC) address of the corresponding NIC, so that no user could change a workstation's IP address at will. However, besides manually collecting the NIC physical addresses and IP addresses of all workstations, the administrators would also have to enter each correspondence into the core switch's static ARP table by hand, and, what is more troublesome, ordinary workstations are constantly being replaced and changed, so such a solution is quite laborious to operate. In addition, the static ARP table of the H3C S8500 series core switch does not support more than 1000 records. In the end, this solution failed.

New Solution

Because no additional investment was allowed, the network administrator naturally could not expect help from professional tools or dedicated equipment and could only rely on the network equipment already in the building, so he began to go through the H3C S8500 core switch operation manual. After careful reading, he found a clue: the switch supports a DHCP relay proxy function. From the manual, the administrator learned that when an ordinary workstation reaches the LAN's DHCP server through the core switch's DHCP relay proxy function and obtains a valid IP address, the relay proxy function automatically records the dynamic mapping between the workstation's IP address and the physical address of its network adapter, and automatically generates a dynamic user address record table.

In addition, the DHCP relay proxy function of the core switch allows you to manually enter the correspondence between an IP address and a NIC's physical address, generating a static user address record. To control network access security, the network administrator decided to enable the DHCP relay proxy function together with the address match check function that the DHCP relay proxy supports, so as to stop unauthorized users or virus-infected computers from configuring an IP address and accessing the network freely. From then on, if the IP address and NIC physical address of an ordinary workstation do not appear in the dynamic or static address records of the DHCP relay, that workstation cannot freely access the building network through the DHCP server, and in this way the stability of the building network can be controlled.

Solution implementation

Once the appropriate solution has been chosen, implementing it is naturally not very difficult. Because the DHCP relay proxy function applies only to VLANs, the same control settings must be made for each VLAN so that the workstations in each VLAN always access the Internet stably. This article takes the control of VLAN 1's Internet stability as the blueprint and describes the specific implementation steps:

First, log on to the DHCP server host as the system administrator, open the system's DHCP console window, and then open the scope properties dialog box for VLAN 1. There, set the address pool of VLAN 1 according to the number of nodes in that VLAN; the other parameters are not described here. Second, log on remotely to the background management interface of the core switch, execute the "sys" command at the command line of this interface to switch the background system to the global configuration state, and in that state execute the "inter vlan-interface 1" command to switch the system to the VLAN 1 interface mode.

In VLAN 1 interface mode, enter the command "dhcp relay address-check enable" and press Enter; the IP address matching check of the DHCP relay is now active on the VLAN 1 interface. Once this function is enabled, an ordinary workstation can no longer configure its own IP address and access the Internet freely, so the security and stability of network operation are effectively guaranteed.

Of course, some important computers in the LAN must use static IP addresses to access the Internet. To ensure that such an IP address is not taken over by someone else at random, you can manually bind the static IP address of the important host to the physical (MAC) address of its NIC in the static user IP address configuration entry of the DHCP relay function; in this way, important hosts can always use static addresses for stable Internet access. For example, to add the correspondence between the address 10.176.1.3 and the address 55-66-88-77-33-77 to the static user address configuration entry of the DHCP relay function, run the "dhcp relay security static 10.176.1.3 55-66-88-77-33-77" command in VLAN 1 interface mode.
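To make the two address tables and the match check described in the new solution and in the steps above concrete, here is a small Python model of the relay's behaviour. It is an added example, not code from the article or from H3C; apart from the article's 10.176.1.3 and 55-66-88-77-33-77 entry, the client MAC, lease time and IP values are constructed.

```python
# Model of the relay address check described above (added example, not H3C code):
# bindings learned from relayed DHCPACKs plus static entries gate client traffic.
from dataclasses import dataclass, field


def norm(mac: str) -> str:
    """Normalise '55-66-88-77-33-77', '5566-8877-3377' or '55:66:...' to 12 hex digits."""
    digits = mac.replace("-", "").replace(":", "").replace(".", "").lower()
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError(f"bad MAC address: {mac!r}")
    return digits


@dataclass
class RelayAddressCheck:
    static: dict = field(default_factory=dict)   # mac -> ip, entered by the administrator
    dynamic: dict = field(default_factory=dict)  # mac -> (ip, lease_end), learned from DHCP

    def learn_from_ack(self, chaddr, yiaddr, lease, now):
        """Record the binding when a DHCPACK (chaddr -> yiaddr) is relayed back to the client."""
        self.dynamic[norm(chaddr)] = (yiaddr, now + lease)

    def add_static(self, ip, mac):
        """Counterpart of 'dhcp relay security static <ip> <mac>' for a fixed-address host."""
        self.static[norm(mac)] = ip

    def allowed(self, src_ip, src_mac, now):
        """Address check: pass traffic only if (src_ip, src_mac) is a static or unexpired dynamic binding."""
        mac = norm(src_mac)
        if self.static.get(mac) == src_ip:
            return True
        entry = self.dynamic.get(mac)
        if entry is None or entry[1] <= now:  # unknown client, or its lease has run out
            self.dynamic.pop(mac, None)
            return False
        return entry[0] == src_ip


def demo():
    """Constructed scenario: one leased client and the article's static host."""
    relay = RelayAddressCheck()
    relay.add_static("10.176.1.3", "55-66-88-77-33-77")  # static entry from the article
    relay.learn_from_ack("00-11-22-33-44-55", "10.176.1.50", 3600, now=0)  # constructed lease
    return {
        "leased_client": relay.allowed("10.176.1.50", "00:11:22:33:44:55", now=10),
        "static_host": relay.allowed("10.176.1.3", "5566-8877-3377", now=10),
        "hand_set_ip": relay.allowed("10.176.1.99", "00-11-22-33-44-55", now=10),  # IP changed by hand
        "takes_static_ip": relay.allowed("10.176.1.3", "00-11-22-33-44-55", now=10),  # would conflict
        "lease_expired": relay.allowed("10.176.1.50", "00-11-22-33-44-55", now=4000),
    }
```

The model shows why a hand-configured address, a duplicate of a static host's address, or a client whose lease has lapsed is all refused, while the leased client and the registered static host pass.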
